Let’s Encrypt Extension for Azure App Services

Let’s Encrypt Extension for Azure App Services

Thanks to Simon J.K. Pedersen (https://github.com/sjkp) there is now a reasonably easy way to get auto-updating “Let’s Encrypt” SSL certificates in you Azure App Services using the “Azure Let’s Encrypt” Extension (https://github.com/sjkp/letsencrypt-siteextension).

There are some very comprehensive install and setup steps here https://github.com/sjkp/letsencrypt-siteextension/wiki/How-to-install

I found that I needed to ensure that all the App Settings were correct to get things going as the automatic install didn’t quite do it and threw a couple of exceptions. Although I think an update may have fixed this now.

These are the App Settings I have and all is working well.

The issues I encountered:

Error: “‘authority’ Uri should have at least one segment in the path…” when clicking next on the first page of the automatic installer.

Resolution: Manually populate any missing App Settings as shown above.

Error: “Access to the path ‘.well-known\acme-challenge’ is denied.” when attempting to request a certificate.

Resolution: Enter the default path into the ‘letsencrypt:WebRootPath’ regardless of whether the site is in the default location or not.



2 thoughts on “Let’s Encrypt Extension for Azure App Services

  1. Do you know why this doesn’t work behind azure traffic manager? Their github repo says
    “No support for multi-region web apps, so if you use traffic mananger or some other load balancer to route traffic between web apps in different regions please dont use this extension.”

    Just curious as to why.

    1. I suspect it has something to do with making multiple certificate applications to LetsEncrypt for the same FQDN from different servers. I think only one server can make a certificate request for a given domain. It essentially becomes the CA. A second request from another server for the same FQDN will either be rejected or the previously requested certificates revoked.
      However, in theory, there is no reason why you shouldn’t be able to use the same certificate across all your regional instances so long as they have the same FQDN(s). As a strategy, it may be best to have one app service (primary) responsible for the certificate requests and renewal. Then a scheduled PowerShell task to copy and import the certificates from the primary to the other regional App Services. Do let me know if you find a solution.

Leave a Reply